Legal Note: The buying party agrees that Pastor Manul Laphroaig and his merry band of Reverse Engineers lift the hood from the Engine That Runs the World must be copied and shared with all neighbors, as defined by previously agreed-upon language, until the year 2104. The buying party also agrees that, at any time during the stipulated 88 year period, the seller may legally plan and attempt to execute one (1) heist or caper to steal back this issue of PoC||GTFO, which, if successful, would return all ownership rights to the seller. Said heist or caper can only be undertaken by currently active clergy of the Church of the Weird Machines and/or neighbor Dan Kaminsky, with no legal repercussions.

Reprints: Bitrot will burn libraries with merciless indignity that even Pets Dot Com didn’t deserve. Please mirror (don’t merely link!) pocorgtfo10.pdf and our other issues far and wide, so our articles can help fight the coming robot apocalypse. We like the following mirrors.

https://pocorgtfo.hacke.rs/
https://www.alchemistowl.org/pocorgtfo/
http://www.sultanik.com/pocorgtfo/
http://openwall.info/wiki/people/solar/pocorgtfo

Technical Note: The polyglot file pocorgtfo10.pdf is valid as a PDF, as a ZIP file, and as an LSMV recording of a Tool Assisted Speedrun (TAS) that exploits Pokemon Red in a Super GameBoy on a Super NES. The result of the exploit is a chat room that plays the text of PoC||GTFO 10:3.

Run it in LSNES with the Gambatte plugin, the Japanese version of the Super Game Boy ROM and the USA/Europe version of Pokemon Red.

./lsnes --library=gambatte/core.so



Printing Instructions: Pirate print runs of this journal are most welcome! PoC||GTFO is to be printed duplex, then folded and stapled in the center. Print on A3 paper in Europe and Tabloid (11” x 17”) paper in Samland. Secret government labs in Canada may use P3 (280 mm x 430 mm) if they like. The outermost sheet should be on thicker paper to form a cover.

# This is how to convert an issue for duplex printing.
sudo apt-get install pdfjam
pdfbook --short-edge --vanilla --paper a3paper pocorgtfo10.pdf -o pocorgtfo10-book.pdf



Preacherman: Manul Laphroaig
Ethics Advisor: The Grugq
Poet Laureate: Ben Nagy
Editor of Last Resort: Melilot
TEXnician: Evan Sultanik
Editorial Whipping Boy: Jacob Torrey
Funky File Formats Polyglot: Ange Albertini
Assistant Scenic Designer: Philippe Teuwen
Minister of Spargelzeit Weights and Measures: FX






1 Please stand; now, please be seated. 



Neighbors, please join me in reading this eleventh release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. This is our eleventh release, given on paper to the fine neighbors of Washington, D.C.

If you are missing the first ten issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas, the second in Sao Paulo, the third in Hamburg, the fourth or eighth in Heidelberg, the fifth in Montreal, the sixth in Las Vegas, the seventh from his parents’ inkjet printer, the ninth in Montreal, or the tenth in Novi Sad or Stockholm.

Our sermon today, to be found on page 4, is a sordid tale in the style of a Dickensian ghost story. Pastor Laphroaig invites us to the anatomical theater, where helpless tamagotchis are disassembled in front of an audience, for FUN!

Page 7 contains a delightfully sophisticated and reliable exploit for Pokemon Red on the Super GameBoy, starting from a save-game glitch, then working forward through native Z80 code execution to native 65C816 code on the host Super NES. They do all of this on real hardware with scripted access to only the gamepad and the reset switch!

Keeping up our tradition of shipping in funky file formats, this PDF is a new polyglot! Page 24 contains the details for how this PDF is also an exploit, loading Pokemon Plays Twitch in the Lsnes emulator.

Micah Elizabeth Scott is becoming a regular contributor to this journal, and we eagerly await each of her submissions. Page 26 contains her notes on ARM’s replacement for JTAG, called Single Wire Debug or SWD. Driving SWD from an Arduino, she’s able to move the target machine like a marionette, scripted from literate HTML5 programming with powerful new elements such as swd-hexedit.

When we heard that Amanda Wozniak was contracted to reverse engineer a pregnancy test, but never paid for the work, we quickly scrounged up five Canadian loonies to buy the work as scrap. Page 32 contains her notes, and we’ll happily pay five more loonies to the first use of this technology in a Hackaday marriage proposal or shotgun wedding.

On page 39, Peter Ferrie shares tricks for breaking the copy protection of dozens of Apple ][ games. When we told Peter to keep his notes to six pages, he laughed and dared us to find tricks worth cutting from his article. Accordingly, our cutting-room floor is empty and this article is the most complete collection of Apple ][ cracking techniques in modern publication.

Travis Goodspeed has been playing with Digital Mobile Radio (DMR) lately, a competitor to TETRA and P25 that is used for amateur radio, as well as trunked radio for businesses and cash-strapped police departments. Page 76 contains his notes for jailbreaking the Tytera MD380’s bootloader, dumping all of protected memory, then patching its application to enable promiscuous mode. These tricks should also work on the CS700, CS750, and a variety of other DMR handhelds.

On page 88, the last and most important page, we pass around the collection plate. We don’t need your dimes, but we’d love some nifty proofs of concept.
2 Three Ghosts and a Little, Brown Dog



a sermon by Pastor Manul Laphroaig 



Rise, neighbors, and in the tradition of the season, let’s have a conversation with spirits of the past, the present, and the future. We will head to a disreputable place, a place of controversy where, according to the best moral authorities, irresponsible people do foul things for fun—a place of scandalous, wholesale wickedness which must be stopped!

Yes, neighbors, we are heading to an anatomical theater, to observe its grim denizens at their grisly pastime. While some dissect carcasses, the rest watch from rows of seats. They call it learning and finding things out—even though most of what meets the eye looks like merely breaking things apart. They say they are making things better—even curing diseases!—though there are highly titled authorities with certified diplomas and ethically approved methodologies who make it their business to improve things “holistically,” without all this disconcerting breakage and cutting things off. Truly, if this doesn’t beg the question of “How is this allowed?” then what does?

There was a time, neighbors, when anatomy didn’t mean trying to guess how a thing functioned by dissecting a specimen. When Andreas Vesalius published his classic human anatomy atlas with its absolute priority of dissection for learning what was and what was not true about the human body, his fixation on biological disassembly was a scandal. A proper anatomy book was understood to include Aristotle’s four humors and a fair bit of astrology; imagine how regressive Vesalius’ fixation on cutting things apart to find their function must have looked! Even when he became a royal court physician, other learned physicians called him a barber—for everyone knew that only barbers and sawbones used blades. Until Victorian times, a doctor was a gentleman, and a surgeon wasn’t. Testing the patient’s urine was fine, but taking knives to one was simply below a proper doctor’s station.

Vesalius’ dissection-bound atlas became an instant hit, though. It turned out that going into specific techniques of dissection—place a rope here and a pulley there—so that others would replicate it was exactly what was needed; the venerable signs and elements, on the other hand, not so much. Which did not save Vesalius from having to undertake an emergency trip to far-away lands for an obscure reason, dying in abject poverty on the way. He died before the first dedicated anatomical theater was built in 1594, by which time anatomy finally meant what he had made it mean.

Ah, but that was then and now is now! The year is 1902, and physiology is the latest scandal. Again, moral delinquents and their supporters are doing something loathsome: vivisection. Again, they come up with excuses: it’s all about finding out how things work, they say; some kind of knowledge that makes them different from the uninitiated, we hear. And even if there was knowledge to be gained, could it really be trusted to such an immature and irresponsible crowd? Stuck to their—not so innocent—toys and narrowly focused views, they can’t even see the bigger ethical picture! They cater to and are occasionally catered by truly objectionable characters—and then have the gall to shrug it off. They talk about education, but who in their right mind would let them near children? Too bad there isn’t a general law against them yet, and the establishment is dragging its feet (or even has its own uses for them, no doubt disgusting)—but the stride of social progress is catching up with them, and, with luck, there soon will be!

That was the year of high court drama, a pitched battle between people who each believed to embody “social progress” against “superstition” on both sides. It saw rallies by socialists and riots by medical students, scientists and suffragettes, British lords and Swedish feminists—and a lot more, including its own commemorative handkerchief merchandise. It is immortalized in history as The Brown Dog affair, one so dramatic that even the Wikipedia article about it makes for good reading. Incidentally, the experiment involved led to the discovery of hormones.



1 unzip pocorgtfo10.pdf adventure.pdf



So says the Ghost of Science Past, but we bid him to haunt us no longer. There is another, more cheerful Spirit to occupy our attention—the Spirit of the Present. This is a more cheerful Spirit, involving pets only as cute pictures thereof—and lots of them!—much to the relief of those who think neither Schrodinger nor Pavlov would make good friends.

But this Spirit isn’t left without attention from our moral betters. What about the children? What about the lowlives and the criminals whom we empower by our so-called knowledge? What about the bullies, the haters, the thieves, the spies, the despots, and even—the terrorists? Would a good thing be called exploitation or pwnage? This new reality is so scary to some people that their response goes straight to nuclear; they call for a Manhattan project, but what they really mean is “nuke it from orbit.” To some, it’s even about evil “techno-priests” hijacking “true social progress”—or at least it sells their books.

Nor is this Spirit’s domain devoid of court drama, even in our enlightened times—although looking where we tend to fall on the scale between Vesalius and Lord Alverstone’s Old Bailey, one begins to wonder just where the light is going. No wonder the Spirit of the Hacking Present looks somewhat frayed around the edges.

Why wait for the Specter of the Future to make an appearance? I say, neighbors, let’s make like 1594 at the University of Padua—back when a university used to have quite a different place in this game of ghosts—and have our own Anatomical Theater, a Theater of Literate Disassembly!

Just as Knuth described Adventure with Literate Programming,¹ we’ll weave together the disassembled code of a live subject with expert explanations of its deeper meaning. (Of course the best part might well be a one liner, but we’ll save the reader hours of effort!) We’ll weave a log and a transcript into an executable script that reproduces the cuts of a Master Surgeon, stroke by stroke.

It is high time. We have been doing our dissections alone—with none or few to watch and learn—long enough. Let other neighbors watch your disassembly, show them your technique, and let them get a good view and share the fun.

As the good old U. of Padua preserved its theater, so shall we! And then perhaps the Specter of the Future will smile upon us.
(Diagram: the seven stages of the exploit chain, from the Pokemon Red cartridge in the Super Game Boy to the Super NES.)

Stage 0: Inject useful data by naming the rival RxRx'k and resetting while saving to get 255 Pokemon.

Stage 1: Swap Pokemon and items to get rival's name in items list, toss items to form a button reading payload, and leave menu to execute it.

Stage 2: Press buttons to write two command packets in memory one nibble per frame, overwrite jump to execute.

Stage 3: Escape SGB, hang Pokemon to stop music, read a set number of button presses 1 byte per frame to write a faster transfer method and execute it.

Stage 4: At 3,840 bytes per second (4 controllers of 2 bytes at 60 frames per second), write a block transfer loader into memory and execute it.

Stage 5: Use block loader to transfer intended SNES payload of variable length and execute it.

Stage 6: Reset SNES to clear state, execute Twitch chat interface, read text in 5-bit or 7-bit encodings, respond to control packets to display web view, make Twitch chat say Hi, win the Internet.
3 Pokemon Plays Twitch

by Allan Cecil (dwangoAC), Ilari Liusvaara (Ilari) and Jordan Potter (p4plus2) 




For the Awesome Games Done Quick (AGDQ) 2015 charity marathon we exploited a chain of unmodified Nintendo game console components consisting of a Pokemon Red Game Boy cartridge in a Super Game Boy running in a Super Nintendo. We plugged the latter into custom hardware posing as a normal controller. In this seven-stage exploit, we corrupted a save file to give ourselves 255 Pokemon, swapped Pokemon, and tossed items to plant shellcode. We committed a series of atrocities using documented command packets and ultimately broke into the Super Nintendo’s working RAM, where we wrote our own chat interface to display live contents of the Twitch chat and even a representation of a defaced website.

3.1 TAS’ing a Game to execute Arbitrary Code

TASVideos² hosts Tool-Assisted Speedruns of games that are created using an emulator with speed controls such as slow motion and frame advance, along with the ability to save and restore the state of the game (or, rather, of the entire console) at any time. TAS movie files consist of a list of all the button presses sent to the console every frame from the time it is powered on until the game is beaten. It aids our poor human reflexes, but it can do a lot more—like arbitrary code execution!

The first run on the site to use this ability to execute arbitrary code to jump to the credits of a game was Masterjun’s Super Mario World run. Later, Bortreb used arbitrary code execution in a run of Pokemon Yellow, marking the first time external content was added to an existing game.

In late 2013, dwangoAC worked with Ilari and Masterjun to present a run at AGDQ 2014 that programmed the games Snake and Pong into Super Mario World on a real console using a replay device (also known as a “bot”) from True.³ This was a huge success and was covered by Ars Technica, but we knew that we could do even more, which ultimately led us to the project described in this article.⁴

3.2 The Game Choice 

We started with an end-goal of executing arbitrary code on a Super Nintendo (SNES) using a Super Game Boy (SGB) cartridge as the entry point. We initially planned to use Pokemon Yellow based on Bortreb’s exploit in that game, but quickly discovered that the SGB detection routine used by Pokemon Yellow is extremely broken and only worked on a real SGB by pure chance.⁵ After looking at other options, we chose to use the Pokemon Red version, which uses a more reliable SGB detection routine that gets us access to the full SGB palette, a custom border, and consistent timing benefits we’ll discuss later.⁶ Using Pokemon Red also has another added benefit in that the entire game has been skillfully disassembled.⁷

2 http://tasvideos.org

3 http://truecontrol.org

4 It should also be noted that all recent AGDQ events have directly benefited the Prevent Cancer Foundation which was a huge motivator for several of us who worked on this project. The block we presented this exploit in at AGDQ 2015 helped raise over $50K and the marathon as a whole raised more than $1.5M toward cancer research, making this project a huge success on multiple levels.

5 In brief, the detection routine is extremely sensitive to how many DMG clock cycles various operations take; the emulator is likely slightly inaccurate, which causes the detection to fail, but from looking at the behavior it seems like it “just works” on the real hardware. This is sheer luck, and the game developers likely never even knew it was so fragile.

6 If the SGB BIOS does not find the special codes in the DMG game header that indicate it’s an SGB-enabled game ($146 equal to $03), it locks up the command channel until the game is reset, rendering any SGB based exploitation impossible. See http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header for more details.



3.3 The Emulator 

When we started this project in August 2014, the only emulator capable of emulating an SGB inside of an SNES at a low enough level for our needs was the BSNES emulator. Unfortunately, although BSNES is very accurate at emulating an SNES, it doesn’t do a very good job of emulating an SGB. The Gambatte Dot-Matrix Game Boy (DMG) emulator is likewise very accurate, but is unable to emulate an SGB on its own. Ilari was able to create a hybrid emulation core using BSNES to emulate the SNES↔DMG interface chip while using Gambatte for DMG emulation. This was a considerable undertaking, but in the end the emulator was very usable, albeit somewhat slow, as properly emulating the synchronization between the SNES CPU and the DMG CPU is a challenge. Ilari continued to provide emulator development and scripting support throughout the project.



3.4 The Hardware 

We didn’t just want to exploit a game in the sandbox of a console emulator and call it a Proof of Concept. We wanted to do the job properly and create an actual exploit that would work on real hardware. Only one member of our team (dwangoAC) had all of the required hardware in one place, namely a SNES console, a SGB cartridge, a copy of Pokemon Red, and the replay device posing as a controller, also known as a “bot.”⁸ Because we wanted to stream data from an attached computer, we opted to use an older, serial-over-USB connected device, namely True’s NES/SNES Replay Device. This choice of hardware had a few limitations but worked out well for the project in the end.




Figure 1 - The legendary TASBot 

3.5 The Plan 

We were initially unsure what kind of payload to create once we had gained the ability to execute arbitrary code on the SNES. Initially we investigated methods of showing crude video, but abandoned it after spending far too much time failing to increase the datarate and running into limits with the processing speed of the SNES’s 65C816 CPU. An IRC discussion about Twitch Plays Pokemon⁹ led dwangoAC and p4plus2 to brainstorm what it would take to incorporate similar elements into our payload, and the concept of Pokemon Plays Twitch was hatched—where a Pokemon character enters a Twitch chat room and “plays” Twitch. In the end, we took it to the next level by giving Red a voice in a chat interface on the SNES and giving TASBot, the robot holding the replay board, the ability to speak through espeak and argue with Red. There’s much more to say about that, but let’s first get to the point where we can execute arbitrary code!



7 unzip -j pocorgtfo10.pdf pokemon_plays_twitch/pokered-master.zip

8 The term “bot” was originally used because it’s as if you have a robot playing the game for you; dwangoAC later attached one of these replay devices to a R.O.B. robot as shown in Figure 1 and after presenting Pong and Snake on SMW, the name TASBot came to be associated with the combination as described at http://tasvideos.org/TASBot.

9 A way of crowdsourcing gameplay by parsing commands sent over IRC.